On Friday 2010-11-26 09:25, Pablo Neira Ayuso wrote:

>>> BTW, I didn't look at your protocol in depth yet but I'd suggest the
>>> following basis to rework it: one netlink message, one rule operation.
>>
>> I can agree with that suggestion, so I will be doing that.
>
> Great, this approach requires more memory because you spend one netlink
> header for every rule, but the cost is worth it since it provides flexibility.

Hm, I remembered a problem with that. With "allow same attribute type
multiple times", it is possible to send a single TABLE_REPLACE request
message (even if it is 150 MB in size) that the kernel part can then work
on. Without it, and instead using per-rule ops, it would mean that I would
have to keep a per-fd state (which seems not possible) and make use of the
NETLINK_URELEASE notification handler to kill said state when the client
goes away unexpectedly.